TOR on Academic networks (problem)

Michael Holstein michael.holstein at
Wed May 17 16:57:31 UTC 2006

>>iptables -t nat -A POSTROUTING -p tcp -d <ip of journal> --dport 80 -j DNAT
>>--to-destination <ip of you webserver>

FreeBSD here, but I'll try something along those lines.

> Still, I would also agree that rejecting *:80 would be the best until
> this IP as authentication issue is resolved.

Since the /etc/hosts approach poisons the DNS for clients, it now seems 
the better (although not ideal) approach is to allow legitimate DNS 
lookups, and then just blackhole the traffic. After 15 seconds, the 
client will give up and pick another node.

In reality, what I should do is just get a new /24 and put all the 
potentially bad stuff in there. Only problem is it'd be a subassignment 
since ARIN doesn't do a /24, and that gives people a "higher" place to 
complain. At least now, there's nobody besides us that folks can fuss at 
(unless they want to try and whine to our routing peers and get laughed at).

In ~6 months of running an exit, this is the first time this has ever 
been an issue .. so it hardly seems worth the effort .. but the 
potential for getting into hot water involving the contracts with 
publishers means I've got to do something.
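The "allow DNS, then blackhole the HTTP traffic" approach described in the post, written out as a pf ruleset for the FreeBSD exit the author mentions. This is an added example, not a configuration from the original thread; the interface name `em0` and the publisher address `192.0.2.10` (an RFC 5737 documentation address) are placeholders to be replaced with the real values.

```conf
# pf.conf fragment for a Tor exit on FreeBSD (constructed example, not from the thread)
ext_if = "em0"                        # placeholder: the exit's outbound interface
table <publisher> { 192.0.2.10 }      # placeholder: the journal/publisher web server(s)

# Let name resolution through unchanged so clients still get a genuine DNS answer
# (this avoids the /etc/hosts trick, which hands clients a poisoned answer)
pass out quick on $ext_if proto { tcp, udp } to any port 53

# Silently drop HTTP to the publisher. "drop" sends no RST, so the stream
# simply stalls and the Tor client times out and builds a circuit via another exit.
block drop out quick on $ext_if proto tcp to <publisher> port 80

# Everything else the exit policy permits continues as before
pass out on $ext_if
```

Load it with `pfctl -f /etc/pf.conf` and check the table with `pfctl -t publisher -T show`. The `block drop` line reproduces the timeout behaviour the post relies on; the alternative the thread calls "rejecting *:80", an `ExitPolicy reject 192.0.2.10:80` line in torrc, lets clients learn up front that this exit will not carry the traffic, so they choose another exit without waiting for the stall.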
